Final Assessment Report 07-02, November 27, 2006, “WebTrust Assessment of GPO’s Certification Authority – Attestation Report”

GPO implemented a Public Key Infrastructure (PKI) to support its “born digital and published to the web” methodology to meet GPO customer expectations that documents are official and authentic. The GPO PKI also directly supports GPO’s mission related to electronic information dissemination and e-government. The GPO PKI recently became cross-certified with the Federal Bridge Certificate Authority (FBCA), whose certification provisions require that the GPO PKI undergo a compliance review. To satisfy this compliance requirement, the GPO Office of Inspector General (OIG) tasked an independent public accounting (IPA) firm to conduct a WebTrust assessment of its Certification Authority (CA). The assessment was conducted in accordance with the American Institute of Certified Public Accountants (AICPA) “WebTrust Principles and Criteria for Certificate Authorities.” The assessment represents an evaluation of whether GPO management’s assertions related to the adequacy and effectiveness of controls over its CA operations are fairly stated based on underlying principles and evaluation criteria.

A pre-assessment was performed to identify gaps and deficiencies between the current GPO PKI environment and the required criteria of the WebTrust Program for CA. During the final WebTrust phase, controls were tested to gather support for an opinion regarding compliance with applicable WebTrust principles and criteria for certification. As a result of work performed in the final WebTrust phase, the IPA issued an Attestation Report, which expresses its opinion that GPO management’s assertions regarding its CA operations are fairly stated in all material respects. This opinion is contained in the final report, which is considered sensitive.